By Matthew Nitkoski
In late March of this year, Baidu CEO Robin Li stirred up controversy while speaking at the China Development Forum in Beijing. When asked for his opinion on using personal data for reform, Li said, “I think Chinese people are more open and less sensitive about the privacy issue. If they are able to trade privacy for convenience, safety, or efficiency – in many cases, they are willing to do that.” Li’s comments inspired a spirited debate in China’s online community as netizens mulled the implications of his statement. Because Li is the CEO of one of China’s most well-known companies, his comments instantly went viral, but the issues they raised didn’t die away – one month later another local incident would rekindle Chinese interest in personal privacy norms.
In April, artist Deng Yufeng paid around US $800 for the personal records – including names, phone numbers, and shopping history – of 346,000 Chinese citizens. These personal records hung in a local museum in Wuhan for two days until police shut down the exhibition after learning that Deng had illegally obtained the information by contacting black market data peddlers through QQ – a popular Chinese messaging app. While the exhibit was quickly shuttered, the story and its implications resonated with Chinese netizens who wondered at how easily their own private data could be found and bought online.
Although not the only controversial incidents to occur this year, these stories highlight emerging themes in Chinese privacy laws. First, there is a growing awareness among Chinese netizens of the dangers of exposing too much information online and – as Deng’s exhibit reveals – the potential consequences. Incidents of data theft are becoming more commonplace, with a recent data breach of Huazhu Group – a major Chinese hotel operator – exposing more than 500 million pieces of customer information. Second, while Beijing has laid down a rough framework of data privacy laws and standards, there is still considerable work to be done to fill in the gaps. According to Sara Xia, an attorney specializing in China Law at Harris Bricken, the China Cybersecurity Law is China’s first high-level law that defines personal information and regulates data privacy for all network operators. “The remaining standards and specifications in that law are currently optional, so there isn’t much with which companies must comply,” says Xia.
Developing the Framework
To establish basic rules and principles governing data privacy, Beijing enacted China’s Cybersecurity Law on June 1, 2017. While the law covers a wide range of activities concerning national security, sovereignty, and online threats, it also includes specific provisions covering the protection of personal data. For businesses operating in China, there are a few elements that deserve special attention.
Under China’s Cybersecurity Law, businesses and organizations that collect, store, and transfer Chinese citizens’ data can be divided into two principal categories. Network Operators are defined as network service providers as well as owners and administrators of networks. They are required to carry out regular security self-assessments to determine if they are handling sensitive data and, if so, submit themselves to further inspection from government authorities. Critical Information Infrastructure Operators (CIIO) must submit to the same requirements as network operators, but the businesses and organizations that fall into this category are also required to comply with additional regulations. This may include storing all personal information and data collected within mainland China and procuring certain IT products and devices from approved sources.
Another major data protection element was put into place on May 1, 2018 in the form of the Personal Information Security Specification. Modeled on Europe’s General Data Protection Regulation (GDPR), the Personal Information Security Specification seeks to borrow key concepts from foreign data protection laws while accounting for the specific idiosyncrasies of mainland China. For example, the specification lays out basic rules for consent – a private citizen’s acknowledgment that they understand where and how their data will be used. This specification, along with other measures dealing with cross-border data transmission and the “secondary uses” of personal data, provides an overarching framework covering data collection, storage, and transfer.
Taking Preventative Steps
For foreign businesses operating in China, one principal concern revolves around the storage of Chinese citizens’ personal data. According to Xia, businesses that fall under the CIIO umbrella are required to store critical information on the Chinese mainland. “CIIOs in critical industries such as energy, financial services, and telecommunications may be more vulnerable to threats, so these businesses and organizations must comply with additional, more stringent data protection regulations,” says Xia.
Furthermore, foreign businesses must pay close attention to new regulations as they are released. For example, there is currently no single agency in charge of data privacy regulations. As a result, numerous agencies have control over the elements and concepts laid down in the China Cybersecurity Law and supporting standards. As further details are released, the agencies ultimately charged with implementation and enforcement will have broad purview over how to interpret regulations, so future modifications could have sizeable impacts on data storage and transfer.
One final element is the distinction between law and standards. The China Cybersecurity Law, while still awaiting further refinement, is binding law that compels businesses and organizations to comply. Additional elements such as the Personal Information Security Specification, however, are suggested standards or policy guidelines. The Security Specification and other draft guidelines will likely play a role in the development of future legislation, but for the moment, they are only standards.
Striking a Balance
The above-cited laws and standards highlight Beijing’s concerted efforts to establish clear rules and regulations governing data storage, information transfer, and personal privacy. What may not be evident, however, are the competing interests driving Beijing to strike a compromise between data privacy and accessibility.
On the one hand, Chinese policymakers have identified a critical need for rules and regulations governing data privacy. They’ve begun by laying out broad terms and definitions to determine how companies adapt, and have instituted standards that will shape future laws and regulations. Although vague, these laws and standards give policymakers ample room to shift and adapt their regulations as they see how companies react.
On the other hand, 800 million Chinese internet users continue to churn out massive amounts of valuable data – data that fuels AI, machine learning, and other high priority tech projects. China’s most recognizable international companies rely on this data to continue the breakneck development that they hope will thrust China to the forefront of global technology developments. With the strengthening regulatory regime set to have a chilling effect on domestic companies’ growth, leading tech giants such as Baidu, Alibaba, and Tencent are using their own clout to push back on some of the more stringent requirements.
With the stakes set high, policymakers find themselves searching for a proper balance between regulations that provide an adequate level of security while still leaving room for tech companies to thrive. While Beijing always has the final say, the interaction between the public sector, private business, and citizens will ultimately lead to the further refinement and development of China’s data protection laws.
Matthew Nitkoski manages the Business Development Team for a technology company in Washington D.C. He has an MA in International Affairs from The George Washington University, where he specialized in US-China relations and East Asian Economics. With over two and a half years of experience living in mainland China, he is an avid follower of China’s technology and economic developments.